Public bug reported:

When compiling mksh with ASAN and running [[ -v $XX ]] ($XX being an undefined environment variable), mksh will crash.
$ echo $KSH_VERSION
@(#)MIRBSD KSH R57 2019/03/01
$ set | grep XX=
$ [[ -v $XX ]]
=================================================================
==362==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4d024d5 at pc 0x56763b99 bp 0xff8cc988 sp 0xff8cc978
READ of size 1 at 0xf4d024d5 thread T0
    #0 0x56763b98 (/usr/bin/mksh+0x193b98)

0xf4d024d5 is located 0 bytes to the right of 5-byte region [0xf4d024d0,0xf4d024d5)
allocated by thread T0 here:
    #0 0xf7a285bd in __interceptor_realloc (/lib/i386-linux-gnu/libasan.so.5+0x1125bd)
    #1 0x565e115d (/usr/bin/mksh+0x1115d)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/mksh+0x193b98)
Shadow bytes around the buggy address:
  0x3e9a0440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x3e9a0480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3e9a0490: fa fa fa fa fa fa fa fa fa fa[05]fa fa fa fd fa
  0x3e9a04a0: fa fa fd fa fa fa 00 fa fa fa 00 00 fa fa 00 01
  0x3e9a04b0: fa fa 00 04 fa fa 00 01 fa fa fd fd fa fa fd fa
  0x3e9a04c0: fa fa 07 fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x3e9a04d0: fa fa 00 fa fa fa fd fa fa fa fa fa fa fa fa fa
  0x3e9a04e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==362==ABORTING

** Affects: mksh
     Importance: Undecided
         Status: New

** Tags: crash fuzzing

-- 
You received this bug notification because you are a
member of mksh Mailing List, which is subscribed to mksh.
Matching subscriptions: mkshlist-to-mksh-bugmail
https://bugs.launchpad.net/bugs/1857826

Title:
  mksh ASAN heap-buffer-overflow

Status in mksh:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/mksh/+bug/1857826/+subscriptions